CVE-2016-10109

Name: CVE-2016-10109
Description: Use-after-free vulnerability in pcsc-lite before 1.8.20 allows remote attackers to cause a denial of service (crash) via a command that uses "cardsList" after the handle has been released through the SCardReleaseContext function.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-778-1, DSA-3752-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                     Version           Status
pcsc-lite (PTS)    wheezy                      1.8.4-1+deb7u1    vulnerable
                   wheezy (security)           1.8.4-1+deb7u2    fixed
                   jessie (security), jessie   1.8.13-1+deb8u1   fixed
                   stretch                     1.8.20-1          fixed
                   buster, sid                 1.8.22-1          fixed

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version     Urgency   Origin       Debian Bugs
pcsc-lite    source   (unstable)   1.8.20-1          medium
pcsc-lite    source   jessie       1.8.13-1+deb8u1   medium    DSA-3752-1
pcsc-lite    source   wheezy       1.8.4-1+deb7u2    medium    DLA-778-1

Notes

https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=697fe05967af7ea215bcd5d5774be587780c9e22
https://anonscm.debian.org/cgit/pcsclite/PCSC.git/commit/?id=3aaab9d998b5deb16a246cc7517e44144d281d3b
http://www.openwall.com/lists/oss-security/2017/01/03/2
